diff --git a/fix-config-in-tests.patch b/fix-config-in-tests.patch
new file mode 100644
index 0000000..5c7900e
--- /dev/null
+++ b/fix-config-in-tests.patch
@@ -0,0 +1,13 @@
+Index: openssl-3.0.1/test/run_tests.pl
+===================================================================
+--- openssl-3.0.1.orig/test/run_tests.pl
++++ openssl-3.0.1/test/run_tests.pl
+@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test",
+ my $libdir = rel2abs(catdir($srctop, "util", "perl"));
+ my $jobs = $ENV{HARNESS_JOBS} // 1;
+ 
+-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
++$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl3.cnf"));
+ $ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
+ $ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
+ $ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));
diff --git a/openssl-3.changes b/openssl-3.changes
index 73fe0a2..586c7f4 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Jan 28 08:32:43 UTC 2022 - Simon Lees
+
+- Remove /etc/pki/CA from the [jsc#SLE-17856, jsc#SLE-19044]
+  openssl-Override-default-paths-for-the-CA-directory-tree.patch
+- Remove unused patches
+
+-------------------------------------------------------------------
+Fri Jan 21 08:18:28 UTC 2022 - Simon Lees
+
+- Ship openssl-3 as binary names [jsc#SLE-17856, jsc#SLE-19044]
+- Use openssl3.cnf
+  * openssl-use-versioned-config.patch
+  * fix-config-in-tests.patch
+- Support crypto policies
+  * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+  * openssl-Override-default-paths-for-the-CA-directory-tree.patch
+- Remove obsolets, not ready to force an upgrade yet
+
 -------------------------------------------------------------------
 Thu Jan 13 10:49:26 UTC 2022 - Pedro Monreal
diff --git a/openssl-3.spec b/openssl-3.spec
index fd6b59c..ff83697 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
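Review bot: The harness now exports `OPENSSL_CONF` pointing at `apps/openssl3.cnf`, but no hunk in this diff creates that file in the source tree — the companion openssl-use-versioned-config.patch keeps copying `apps/openssl.cnf` at install time and only versions the installed copy. If the file is absent every test process starts with a config-load error, which would explain why the spec then excludes test_ca, test_tsa, test_req and friends instead of running them; that is inferred from the spec hunk, not shown here. The Override patch's own header says it must be reverted before running tests, so the cleanest fix is to keep the harness on a copy of the unpatched config, e.g. `$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));` plus a comment explaining that the distro-patched file is deliberately not used under test.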
@@ -42,15 +42,14 @@ Patch3: openssl-pkgconfig.patch
 Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
 Patch6: openssl-no-date.patch
+# Patches for crypto-policies
+Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
+# use openssl3.cnf
+Patch9: openssl-use-versioned-config.patch
+Patch10: fix-config-in-tests.patch
 BuildRequires: pkgconfig
-Conflicts: ssl
-Provides: ssl
-Provides: openssl(cli)
-# Needed for clean upgrade path, boo#1070003
-Obsoletes: openssl-1_0_0
-# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
-Obsoletes: openssl-1_1_0
-Obsoletes: openssl-1_1
+
 
 %description
 OpenSSL is a software library to be used in applications that need to
@@ -76,12 +75,6 @@ Recommends: %{name} = %{version}
 Conflicts: libopenssl-devel < %{version}
 Conflicts: libopenssl-devel > %{version}
 Conflicts: ssl-devel
-Provides: ssl-devel
-# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
-Obsoletes: libopenssl-1_1_0-devel
-Obsoletes: libopenssl-1_1-devel
-# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
-Obsoletes: libopenssl-1_0_0-devel
 
 %description -n libopenssl-3-devel
 This subpackage contains header files for developing applications
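Review bot: Patch7 and Patch8 make the default SSL_CTX cipher list and the default config depend on `/etc/crypto-policies/back-ends/opensslcnf.config` at runtime, yet this hunk — the package's dependency block — adds no `Requires: crypto-policies`, and no other hunk in the diff does. Without that dependency the policy file can be missing on an installed system and the PROFILE=SYSTEM code in Patch7 silently falls back to the compiled-in cipher list, so the "support crypto policies" change is only nominal. Add `Requires:       crypto-policies` next to `BuildRequires: pkgconfig`, and leave a one-line comment that dropping `Conflicts: ssl` / `Provides: openssl(cli)` / the Obsoletes is intentional for parallel installation with openssl-1_1, since the shared `%{ssletcdir}/private` and `ct_log_list.cnf` paths remain unversioned in `%files`.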
@@ -143,21 +136,30 @@ perl configdata.pm --dump
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 # export HARNESS_VERBOSE=yes
-LD_LIBRARY_PATH="$PWD" make test -j1
+LD_LIBRARY_PATH="$PWD" make TESTS='-test_req\
+ -test_verify_store\
+ -test_evp_fetch_prov\
+ -test_ca\
+ -test_ssl_old\
+ -test_tsa'\
+ test -j1
 # show ciphers
 gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
 
 %install
 %make_install %{?_smp_mflags}
+
 # Kill static libs
 rm -f %{buildroot}%{_libdir}/lib*.a
 # Remove the cnf.dist
-rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
+rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist
+mkdir %{buildroot}/%{_datadir}/ssl-3
+mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/
 ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
 mkdir %{buildroot}/%{_datadir}/ssl
-mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
-
+# Rename binary
+mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name}
 # Avoid file conflicts with man pages from other packages
 pushd %{buildroot}/%{_mandir}
 find . -type f -exec chmod 644 {} +
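Review bot: `mkdir %{buildroot}/%{_datadir}/ssl` is left in place although the `mv` into it moved to `%{_datadir}/ssl-3` and `%dir %{_datadir}/ssl` is removed from `%files` later in the diff, so the build now creates an empty, unowned directory in the buildroot; delete that line. The new `make TESTS='-test_req -test_verify_store -test_evp_fetch_prov -test_ca -test_ssl_old -test_tsa' test` drops the certificate-verification and legacy-TLS regression suites of a crypto library without a word of justification; given that Patch8's header says it must be reverted before running tests, this reads as a workaround for the patched config. At minimum add `# Skipped: these suites need an unpatched openssl.cnf (Patch8 points CA dirs and .include at system paths)` above the line, and preferably run the suites against an unpatched config copy instead of excluding them.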
@@ -172,21 +174,23 @@ for i in man?/*; do
 if test -L $i ; then
 LDEST=`readlink $i`
 rm -f $i ${i}ssl
-ln -sf ${LDEST}ssl ${i}ssl
+ln -sf ${LDEST}ssl-3 ${i}ssl-3
 else
-mv $i ${i}ssl
+mv $i ${i}ssl-3
 fi
 case "$i" in
 *.1)
 # These are the pages mentioned in openssl(1). They go into the main package.
-echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
+echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;;
 *)
 # The rest goes into the openssl-doc package.
-echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
+echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;;
 esac
 done
 popd
 
+mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3
+
 # Do not install demo scripts executable under /usr/share/doc
 find demos -type f -perm /111 -exec chmod 644 {} +
@@ -221,14 +225,14 @@ cp %{SOURCE5} .
 %files -f filelist
 %doc CHANGE*
 %dir %{ssletcdir}
-%config (noreplace) %{ssletcdir}/openssl.cnf
+%config (noreplace) %{ssletcdir}/openssl3.cnf
 %attr(700,root,root) %{ssletcdir}/private
 %{ssletcdir}/ct_log_list.cnf
 %{ssletcdir}/ct_log_list.cnf.dist
-%dir %{_datadir}/ssl
-%{_datadir}/ssl/misc
-%{_bindir}/c_rehash
-%{_bindir}/%{_rname}
+%dir %{_datadir}/ssl-3
+%{_datadir}/ssl-3/misc
+%{_bindir}/c_rehash-3
+%{_bindir}/%{name}
 
 %changelog
diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
new file mode 100644
index 0000000..e98b342
--- /dev/null
+++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
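Review bot: `c_rehash` is renamed to `c_rehash-3` while the `openssl` binary it drives becomes `openssl-3`, but the script is not patched; as far as I recall c_rehash locates the binary by name (`$OPENSSL` or `openssl` on PATH), so with openssl-1_1 installed in parallel `c_rehash-3` would hash with the 1.1 binary — verify, and if so `sed -i 's|"openssl"|"%{name}"|' %{buildroot}%{_bindir}/c_rehash-3` before the move. Also worth a line in the .changes: because `%{ssletcdir}/openssl3.cnf` is `%config (noreplace)`, the `ssl_conf`/`.include` lines Patch8 adds will not reach systems where that file was already edited, so the crypto-policy hook is not guaranteed to be active after upgrade.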
@@ -0,0 +1,329 @@ +From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 10:16:46 +0200 +Subject: Add support for PROFILE=SYSTEM system default cipherlist + +(was openssl-1.1.1-system-cipherlist.patch) +--- + Configurations/unix-Makefile.tmpl | 5 ++ + Configure | 10 +++- + doc/man1/openssl-ciphers.pod.in | 9 ++++ + include/openssl/ssl.h.in | 5 ++ + ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++---- + ssl/ssl_lib.c | 4 +- + test/cipherlist_test.c | 2 + + util/libcrypto.num | 1 + + 8 files changed, 110 insertions(+), 14 deletions(-) + +Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.1/Configurations/unix-Makefile.tmpl +@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man + DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) + HTMLDIR=$(DOCDIR)/html + ++{- output_off() if $config{system_ciphers_file} eq ""; "" -} ++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\"" ++{- output_on() if $config{system_ciphers_file} eq ""; "" -} ++ + # MANSUFFIX is for the benefit of anyone who may want to have a suffix + # appended after the manpage file section number. "ssl" is popular, + # resulting in files such as config.5ssl rather than config.5. +@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} + CXX={- $config{CXX} ? 
"\$(CROSS_COMPILE)$config{CXX}" : '' -} + CPPFLAGS={- our $cppflags1 = join(" ", + (map { "-D".$_} @{$config{CPPDEFINES}}), ++ "\$(SYSTEM_CIPHERS_FILE_DEFINE)", + (map { "-I".$_} @{$config{CPPINCLUDES}}), + @{$config{CPPFLAGS}}) -} + CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +Index: openssl-3.0.1/doc/man1/openssl-ciphers.pod.in +=================================================================== +--- openssl-3.0.1.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.0.1/doc/man1/openssl-ciphers.pod.in +@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher s + + The cipher suites not enabled by B, currently B. + ++=item B ++ ++The list of enabled cipher suites will be loaded from the system crypto policy ++configuration file B. ++See also L. ++This is the default behavior unless an application explicitly sets a cipher ++list. If used in a cipher list configuration value this string must be at the ++beginning of the cipher list, otherwise it will not be recognized. ++ + =item B + + "High" encryption cipher suites. This currently means those with key lengths +Index: openssl-3.0.1/include/openssl/ssl.h.in +=================================================================== +--- openssl-3.0.1.orig/include/openssl/ssl.h.in ++++ openssl-3.0.1/include/openssl/ssl.h.in +@@ -210,6 +210,11 @@ extern "C" { + * throwing out anonymous and unencrypted ciphersuites! (The latter are not + * actually enabled by ALL, but "ALL:RSA" would enable some of them.) 
+ */ ++# ifdef SYSTEM_CIPHERS_FILE ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" ++# else ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list() ++# endif + + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ + # define SSL_SENT_SHUTDOWN 1 +Index: openssl-3.0.1/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.0.1.orig/ssl/ssl_ciph.c ++++ openssl-3.0.1/ssl/ssl_ciph.c +@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c + return ret; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++static char *load_system_str(const char *suffix) ++{ ++ FILE *fp; ++ char buf[1024]; ++ char *new_rules; ++ const char *ciphers_path; ++ unsigned len, slen; ++ ++ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ ciphers_path = SYSTEM_CIPHERS_FILE; ++ fp = fopen(ciphers_path, "r"); ++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { ++ /* cannot open or file is empty */ ++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); ++ } ++ ++ if (fp) ++ fclose(fp); ++ ++ slen = strlen(suffix); ++ len = strlen(buf); ++ ++ if (buf[len - 1] == '\n') { ++ len--; ++ buf[len] = 0; ++ } ++ if (buf[len - 1] == '\r') { ++ len--; ++ buf[len] = 0; ++ } ++ ++ new_rules = OPENSSL_malloc(len + slen + 1); ++ if (new_rules == 0) ++ return NULL; ++ ++ memcpy(new_rules, buf, len); ++ if (slen > 0) { ++ memcpy(&new_rules[len], suffix, slen); ++ len += slen; ++ } ++ new_rules[len] = 0; ++ ++ return new_rules; ++} ++#endif ++ + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, +@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; + const SSL_CIPHER **ca_list = NULL; + const SSL_METHOD *ssl_method = ctx->method; ++#ifdef SYSTEM_CIPHERS_FILE ++ char *new_rules = NULL; ++ ++ if (rule_str != NULL && strncmp(rule_str, 
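Review bot: `load_system_str` indexes `buf[len - 1]` without checking `len > 0`: if the first line of the policy file is just `\n`, the newline strip leaves `len == 0` and the following `\r` check reads `buf[(unsigned)-1]`, an out-of-bounds read, so both strips need a guard such as `if (len > 0 && buf[len - 1] == '\n')` and `if (len > 0 && buf[len - 1] == '\r')`. The function also consumes only the first 1023 bytes of the first line via `fgets` and silently truncates anything longer, and when the file is missing or empty it silently substitutes the compiled-in `SSL_DEFAULT_CIPHER_LIST` — a fail-open that is defensible for a distro default but belongs in the openssl-ciphers(1) text this patch edits and in a comment above the fallback, e.g. `/* No readable system policy: use the built-in default rather than failing SSL_CTX_new() */`. Reading `OPENSSL_SYSTEM_CIPHERS_OVERRIDE` through `ossl_safe_getenv` so it is ignored in set-uid processes is the right choice; document the variable in the same man page so testers know it exists.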
"PROFILE=SYSTEM", 14) == 0) { ++ char *p = rule_str + 14; ++ ++ new_rules = load_system_str(p); ++ rule_str = new_rules; ++ } ++#endif + + /* + * Return with error if nothing to do. + */ + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) +- return NULL; ++ goto err; + + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) +- return NULL; ++ goto err; + + /* + * To reduce the work to do we only want to process the compiled +@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) { + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + + ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, +@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * in force within each class + */ + if (!ssl_cipher_strength_sort(&head, &tail)) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; + ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); + if (ca_list == NULL) { +- OPENSSL_free(co_list); + ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + disabled_mkey, disabled_auth, disabled_enc, +@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + OPENSSL_free(ca_list); /* Not needed anymore */ + + if (!ok) { /* Rule processing failure */ +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * if we cannot get one. 
+ */ + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); /* Not needed anymore */ ++#endif ++ + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { + const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); +@@ -1656,6 +1713,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { + OPENSSL_free(co_list); + sk_SSL_CIPHER_free(cipherstack); ++ OPENSSL_free(co_list); + return NULL; + } + } +@@ -1690,6 +1748,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + *cipher_list = cipherstack; + + return cipherstack; ++ ++err: ++ OPENSSL_free(co_list); ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); ++#endif ++ return NULL; ++ + } + + char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) +Index: openssl-3.0.1/ssl/ssl_lib.c +=================================================================== +--- openssl-3.0.1.orig/ssl/ssl_lib.c ++++ openssl-3.0.1/ssl/ssl_lib.c +@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx + ctx->tls13_ciphersuites, + &(ctx->cipher_list), + &(ctx->cipher_list_by_id), +- OSSL_default_cipher_list(), ctx->cert); ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; +@@ -3248,7 +3248,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li + if (!ssl_create_cipher_list(ret, + ret->tls13_ciphersuites, + &ret->cipher_list, &ret->cipher_list_by_id, +- OSSL_default_cipher_list(), ret->cert) ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); + goto err2; +Index: openssl-3.0.1/test/cipherlist_test.c +=================================================================== +--- 
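Review bot: The hunk at `@@ -1656` adds a second `OPENSSL_free(co_list);` directly after the existing `OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack);` pair, so the `sk_SSL_CIPHER_push` failure path frees `co_list` twice. The path is only reached on allocation failure, but a double free in libssl is still a memory-safety defect; drop the added line (the existing free already covers it). In the same function `new_rules` is freed before the TLSv1.3 loop but not reset, while the new `err:` label frees it again — today no `goto err` follows that point, but `OPENSSL_free(new_rules); new_rules = NULL;` keeps any future error path from becoming a second double free.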
openssl-3.0.1.orig/test/cipherlist_test.c ++++ openssl-3.0.1/test/cipherlist_test.c +@@ -246,7 +246,9 @@ end: + + int setup_tests(void) + { ++#ifndef SYSTEM_CIPHERS_FILE + ADD_TEST(test_default_cipherlist_implicit); ++#endif + ADD_TEST(test_default_cipherlist_explicit); + ADD_TEST(test_default_cipherlist_clear); + return 1; +Index: openssl-3.0.1/util/libcrypto.num +=================================================================== +--- openssl-3.0.1.orig/util/libcrypto.num ++++ openssl-3.0.1/util/libcrypto.num +@@ -5425,3 +5425,4 @@ ASN1_item_d2i_ex + ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: + EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: + EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: ++ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +Index: openssl-3.0.1/Configure +=================================================================== +--- openssl-3.0.1.orig/Configure ++++ openssl-3.0.1/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) ++# ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --banner=".." 
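Review bot: Compiling `test_default_cipherlist_implicit` out under `SYSTEM_CIPHERS_FILE` leaves the new default path — `SSL_CTX_new` reading the policy file through `load_system_str` — with no test at all, although the patch itself supplies the hook to test it: `OPENSSL_SYSTEM_CIPHERS_OVERRIDE`. Instead of the `#ifndef`, have `setup_tests` write a known cipher string to a temporary file, point the override at it, and assert that the implicit list equals that string; a second case with a missing file should yield the compiled-in default, and a file whose first line is empty would exercise the `buf[len - 1]` edge in `load_system_str`. Separately, the `libcrypto.num` hunk exports the internal `ossl_safe_getenv` as a public libcrypto symbol; if it is only there so libssl can call it, say so in a comment, because once exported other packages can start depending on it.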
Output specified text instead of default completion banner + # + # -w Don't wait after showing a Configure warning +@@ -387,6 +391,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -989,6 +994,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--banner=(.*)$/) + { + $banner = $1 . "\n"; diff --git a/openssl-Override-default-paths-for-the-CA-directory-tree.patch b/openssl-Override-default-paths-for-the-CA-directory-tree.patch new file mode 100644 index 0000000..a7996b3 --- /dev/null +++ b/openssl-Override-default-paths-for-the-CA-directory-tree.patch 
@@ -0,0 +1,60 @@
+From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 24 Sep 2020 09:17:26 +0200
+Subject: Override default paths for the CA directory tree
+
+Also add default section to load crypto-policies configuration
+for TLS.
+
+It needs to be reverted before running tests.
+
+(was openssl-1.1.1-conf-paths.patch)
+---
+ apps/openssl.cnf | 20 ++++++++++++++++++--
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+Index: openssl-3.0.1/apps/openssl.cnf
+===================================================================
+--- openssl-3.0.1.orig/apps/openssl.cnf
++++ openssl-3.0.1/apps/openssl.cnf
+@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
+ 
+ [openssl_init]
+ providers = provider_sect
++# Load default TLS policy configuration
++ssl_conf = ssl_module
+ 
+ # List of providers to load
+ [provider_sect]
+@@ -71,6 +73,13 @@ default = default_sect
+ [default_sect]
+ # activate = 1
+ 
++[ ssl_module ]
++
++system_default = crypto_policy
++
++[ crypto_policy ]
++
++.include = /etc/crypto-policies/back-ends/opensslcnf.config
+ 
+ ####################################################################
+ [ ca ]
+@@ -79,7 +88,7 @@ default_ca = CA_default # The default c
+ ####################################################################
+ [ CA_default ]
+ 
+-dir = ./demoCA # Where everything is kept
++dir = /etc/pki/CA # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+@@ -309,7 +318,7 @@ default_tsa = tsa_config1 # the default
+ [ tsa_config1 ]
+ 
+ # These are used by the TSA reply generation only.
+-dir = ./demoCA # TSA root directory
++dir = /etc/pki/CA # TSA root directory
+ serial = $dir/tsaserial # The current serial number (mandatory)
+ crypto_device = builtin # OpenSSL engine to use for signing
+ signer_cert = $dir/tsacert.pem # The TSA signing certificate
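Review bot: The patch still sets `dir = /etc/pki/CA` in both `[ CA_default ]` and `[ tsa_config1 ]`, while the Jan 28 .changes entry in this same diff claims `/etc/pki/CA` was removed from it — one of the two is stale. If the path is meant to stay, `openssl ca` and `openssl ts` with the default config now keep the demo CA's database, serial and signing key under `/etc`, which presumably only root can write, so keeping upstream's `./demoCA` is the safer default. `.include = /etc/crypto-policies/back-ends/opensslcnf.config` is an absolute include of a file owned by another package; whether a missing include is a hard config error or is skipped depends on the conf loader, but in either case the `system_default` section ends up empty and no policy is applied, silently, so the spec needs the matching `Requires`. The diffstat in the header (one file listed, `2 files changed`) is also inconsistent, and the note that the patch must be reverted before running tests should be mirrored by a comment next to the spec's test exclusions.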
diff --git a/openssl-use-versioned-config.patch b/openssl-use-versioned-config.patch new file mode 100644 index 0000000..9e8e60d --- /dev/null +++ b/openssl-use-versioned-config.patch @@ -0,0 +1,142 @@ +From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001 +From: Sahana Prasad +Date: Tue, 5 Oct 2021 12:10:42 +0200 +Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves: + rhbz#1947584, rhbz#2003123 
Signed-off-by: Sahana Prasad + +Refactored for SUSE by Simon Lees sflees@suse.de + +Index: openssl-3.0.1/include/internal/cryptlib.h +=================================================================== +--- openssl-3.0.1.orig/include/internal/cryptlib.h ++++ openssl-3.0.1/include/internal/cryptlib.h +@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK) + typedef struct mem_st MEM; + DEFINE_LHASH_OF(MEM); + +-# define OPENSSL_CONF "openssl.cnf" ++# define OPENSSL_CONF "openssl3.cnf" + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR +Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.1/Configurations/unix-Makefile.tmpl +@@ -129,7 +129,7 @@ GENERATED_PODS={- # common0.tmpl provide + fill_lines(" ", $COLUMNS - 15, + map { my $x = $_; + ( +- grep { ++ grep { + $unified_info{attributes}->{depends} + ->{$x}->{$_}->{pod} // 0 + } +@@ -675,14 +675,14 @@ install_ssldirs: + : {- output_on() if windowsdll(); "" -}; \ + fi; \ + done +- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" +- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new +- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new +- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist +- @if [ ! 
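Review bot: Changing the compiled-in `OPENSSL_CONF` to `"openssl3.cnf"` means every program linked against this libcrypto silently stops reading `OPENSSLDIR/openssl.cnf`, including any site hardening an administrator already placed there; that is the intent for parallel installation, but it is a distro-specific divergence from upstream that deserves a comment at the define, e.g. `/* SUSE: versioned config so openssl-1_1 and openssl-3 can coexist in OPENSSLDIR */`, plus a sentence in the .changes telling users to migrate local edits to the new file. An explicit `OPENSSL_CONF` environment variable should still take precedence (that lookup is outside this hunk), so applications setting it are unaffected.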
-f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \ +- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ +- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ +- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ ++ @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist" ++ @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new ++ @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new ++ @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist ++ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \ ++ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \ ++ cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \ ++ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \ + fi + @$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" + @cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new +@@ -1136,7 +1136,7 @@ lint: + + generate_apps: + ( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \ +- < apps/openssl.cnf > apps/openssl-vms.cnf ) ++ < apps/openssl3.cnf > apps/openssl-vms.cnf ) + + generate_crypto_bn: + ( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h ) +@@ -1374,7 +1374,7 @@ tar: + + # Helper targets ##################################################### + +-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf ++link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf + + $(BLDDIR)/util/opensslwrap.sh: configdata.pm + @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ +@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: configdat + ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \ + fi + +-$(BLDDIR)/apps/openssl.cnf: configdata.pm ++$(BLDDIR)/apps/openssl3.cnf: configdata.pm + @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ + mkdir -p "$(BLDDIR)/apps"; \ + ln -sf 
"../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \ +Index: openssl-3.0.1/Configure +=================================================================== +--- openssl-3.0.1.orig/Configure ++++ openssl-3.0.1/Configure +@@ -56,7 +56,7 @@ EOF + # directories bin, lib, include, share/man, share/doc/openssl + # This becomes the value of INSTALLTOP in Makefile + # (Default: /usr/local) +-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys. ++# --openssldir OpenSSL data area, such as openssl3.cnf, certificates and keys. + # If it's a relative directory, it will be added on the directory + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. +Index: openssl-3.0.1/doc/HOWTO/certificates.txt +=================================================================== +--- openssl-3.0.1.orig/doc/HOWTO/certificates.txt ++++ openssl-3.0.1/doc/HOWTO/certificates.txt +@@ -16,7 +16,7 @@ Certificate authorities should read http + In all the cases shown below, the standard configuration file, as + compiled into openssl, will be used. You may find it in /etc/, + /usr/local/ssl/ or somewhere else. By default the file is named +-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. ++openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html. + You can specify a different configuration file using the + '-config {file}' argument with the commands shown below. + +Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod +=================================================================== +--- openssl-3.0.1.orig/doc/man3/OPENSSL_config.pod ++++ openssl-3.0.1/doc/man3/OPENSSL_config.pod +@@ -17,7 +17,7 @@ see L: + + =head1 DESCRIPTION + +-OPENSSL_config() configures OpenSSL using the standard B and ++OPENSSL_config() configures OpenSSL using the standard B and + reads from the application section B. If B is NULL then + the default section, B, will be used. + Errors are silently ignored. 
+Index: openssl-3.0.1/INSTALL.md +=================================================================== +--- openssl-3.0.1.orig/INSTALL.md ++++ openssl-3.0.1/INSTALL.md +@@ -1,4 +1,4 @@ +-Build and Install ++fBuild and Install + ================= + + This document describes installation on all supported operating +@@ -567,7 +567,7 @@ is an objective. + + ### no-autoload-config + +-Don't automatically load the default `openssl.cnf` file. ++Don't automatically load the default `openssl3.cnf` file. + + Typically OpenSSL will automatically load a system config file which configures + default SSL options.